Base64 in Database


Posted on 03-06-09 16:39

Hi everyone,

I'm making a website where users can login/register. But I want to protect myself against SQL Injections/XSS. So I have an idea, but I would like to hear if it is safe or if there are better ways :)
So this is what I am going to do:
I have this piece of PHP code:

RE: Base64 in Database

It would protect from SQL injection, but not XSS. There are faster and more secure ways to do it.
Just use strip_tags() and mysql_real_escape_string() on all user input.
Those functions are meant to protect from the vulnerabilities you mentioned.
Nice idea though...

Edit: Sessions are stored on the server, so as long as the attacker doesn't have access to the server, it's safe.

Would it protect me against SQL Injection AND XSS? I knew the strip_tags function but I didn't use it because if a user types e.g. ' or '1=1-- it would have any effect... But I didn't know the mysql_real_escape_string function, thanks for that!

RE: Base64 in Database

Posted on 03-06-09 20:55

COM wrote:

454447415244 wrote:
You really don't find a security difference between the two implementation?!

I'm not sure what you meant there so... yes?

454447415244 wrote:
Have you ever seen a good site that stores passwords as base_64?!

Did I say it was a good, secure thing and he should use that for password encryption/hashing? My memory must be bad, I could've sworn I didn't.
What I was saying was merely that what you were talking about was not what the OP meant, nor what he was requesting ideas and assistance with. It is somewhat relevant and a good topic to add on to it, merely stating that you shouldn't answer questions wrongly like it's what he's after. For all you know the OP might actually be well aware of what you're saying, maybe he's thinking of md5 hashing the passwords before base64 encoding them.

I do know well what the OP was talking about. And I felt the need to add this since he wrote:

I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html.
That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned. but the ability to decode would be important in his idea, so obviously he'd choose that.

RE: Base64 in Database

Posted on 04-06-09 05:15

Don't use strip_tags, it's still vulnerable to XSS injections. Read up on htmlentities().

As everyone else said, base64 is not secure. At all. It wouldn't be hard for an attacker to recognize that you are using base64 and then it could easily be decoded.

mysql_real_escape_string is good, but if you want to be more secure use regex to validate user input (preg_match() and preg_replace()).

MH-IA wrote:
I have another question (about PHP sessions): is it safe when I save data in the $_SESSION array? I think it is, but not sure about it

If you run any of the values from your sessions to an sql query, then it's possible to make an sql injection, so just be sure to sanitize the values. Other than that though you should be good. Really the worst thing I've seen with sessions is that I got the page to display the site's path in an error message by adding random values to the PHPSESSID cookie. Not too bad, but if you have sql vulns then it's potentially dangerous.
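The three controls named in the reply above (validate with preg_match(), keep input out of the SQL text, encode on HTML output), as an added example that is not code from the thread. It assumes PHP 7+ with pdo_sqlite, and uses a prepared statement in place of mysql_real_escape_string() (which escaped values for the same purpose and was removed in PHP 7); the inputs are the two strings quoted later in this thread plus a constructed valid name.

```php
<?php
// Added example (not the thread's code): the three controls the reply above
// names, each applied at a different point. Assumes PHP 7+ with pdo_sqlite.
declare(strict_types=1);

// 1. Validation with preg_match() at registration: 3 to 20 word characters.
function username_is_valid(string $name): bool {
    return preg_match('/^\w{3,20}$/', $name) === 1;
}

// 2. SQL: a prepared statement sends the value separately from the query text,
//    which is what mysql_real_escape_string() approximated by escaping.
function find_user(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML output: encode rather than strip, so < > " ' & are shown literally
//    and nothing the user typed is silently lost.
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');

// Constructed registration attempts: only the first passes validation.
foreach (['alice', "' or '1=1--", '<script>alert(document.cookie)</script>'] as $in) {
    if (!username_is_valid($in)) {
        echo 'registration rejected: ' . html($in) . "\n";
        continue;
    }
    $db->prepare('INSERT INTO users (username) VALUES (?)')->execute([$in]);
}

// Login lookup with the injection string from the thread: it is compared as a
// literal username and matches no row, instead of rewriting the WHERE clause.
var_dump(find_user($db, "' or '1=1--") === null);   // bool(true)
echo 'welcome, ' . html(find_user($db, 'alice')['username']) . "\n";
```

The same html() encoding applies to any session value echoed back to the page; the session question in the reply is about the SQL side, which the prepared statement covers regardless of where the value came from.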

RE: Base64 in Database

Posted on 04-06-09 09:00

COM wrote:

454447415244 wrote:

I've chosen for base64, because there is the base64_encode and base64_decode function (not with encryptions like md5).

He never said that he wouldn't use md5 for passwords, he needed something with an ability to decrypt, so he didn't want to use md5. You previously asked why. Well, let's say he wants to safely store messages or content in a database, like these messages we write here, without worrying about sql injections. Would it be a good idea to not decode base64 before sending it off as html? No. Would it be good to hash messages like these posts or other content as md5? Good luck decoding that and posting it as readable html.
That was his point, it was a fairly decent idea, still needs xss prevention for instance as already mentioned. but the ability to decode would be important in his idea, so obviously he'd choose that.

Well, you are posting just for the sake of arguing.

If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.

So it's about logging-in and not about storing messages.
</EndOf>

RE: Base64 in Database

Posted on 04-06-09 09:52

454447415244 wrote:
Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote:
If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.

So it's about logging-in and not about storing messages.

If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>

RE: Base64 in Database

Posted on 04-06-09 10:18

When I store data (base64 encoded), how can someone find out all data in the db is that way encrypted?? If someone doesn't know, how can it be unsafe? I'm busy with searching good methods to protect my site against XSS. Why would strip_tags not work? I mean, it removes all the html tags, right? htmlentities seems like a good method, cause it replaces chars as < and > etc. I am now at school, but I will try the methods you guys mentioned this afternoon.

RE: Base64 in Database

Posted on 04-06-09 10:24

It's unsafe because it's easy to decrypt if you know what it is and most people can make an educated guess about what encryption is in use by seeing it, especially if it's a widely known one.

RE: Base64 in Database

Posted on 04-06-09 10:30

Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure...

RE: Base64 in Database

Posted on 04-06-09 10:48

MH-IA wrote:
Okay, as I said, I will try out some methods later today and I have a problem with images. I have written a php script that paints an image with 5 random characters (for image validation). Now, I would like to save the 5 chars in a cookie, but of course that's very unsafe. So I have to find a method to encrypt it safely. I don't like it when bots automatically register on my website, so that's why I want it encrypted. I thought about md5 (the script encrypts the input to md5 and checks if it is the same as in the cookie), but not sure if it is that secure...

If the chars are in the cookie, that means that the bot can get the information. It would be safer if you stored them in a session variable. Then all you have to store in the cookie is the session id, which is done automatically.
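The session-side approach from the reply above as an added example (not code from the thread or the OP's script): the five characters are kept in $_SESSION and never leave the server, so the cookie carries only the session id. A constructed array stands in for $_SESSION so the code runs from the CLI; random_int() and hash_equals() are standard PHP 7 functions, and the one-use and expiry rules are this example's additions.

```php
<?php
// Added example (not the thread's code): CAPTCHA answer stored server-side in
// the session, as the reply suggests, instead of in a cookie. Assumes PHP 7+.
declare(strict_types=1);

const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O or 1/I
const CAPTCHA_LENGTH   = 5;

// Generate the challenge, remember it in the session and return it so the
// caller can paint it into the image. The session array is passed by
// reference so the function also runs outside a web request.
function captcha_issue(array &$session): string {
    $alphabet = CAPTCHA_ALPHABET;
    $max      = strlen($alphabet) - 1;
    $code     = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, $max)];   // CSPRNG, not rand()
    }
    $session['captcha'] = ['code' => $code, 'issued' => time()];
    return $code;
}

// Verify once: the stored answer is removed whether or not it matched, so a
// bot cannot replay one solved challenge, and stale challenges are refused.
function captcha_verify(array &$session, string $answer, int $ttl = 300): bool {
    $entry = $session['captcha'] ?? null;
    unset($session['captcha']);
    if ($entry === null || time() - $entry['issued'] > $ttl) {
        return false;
    }
    // Constant-time comparison; case-insensitive so the image is easier to read.
    return hash_equals($entry['code'], strtoupper(trim($answer)));
}

// In a real request: session_start(); then pass $_SESSION in place of $session.
$session = [];
$shown = captcha_issue($session);                        // drawn into the image only
var_dump(captcha_verify($session, strtolower($shown)));  // bool(true)
var_dump(captcha_verify($session, $shown));              // bool(false): consumed
```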

RE: Base64 in Database

Posted on 04-06-09 11:15

COM wrote:

454447415244 wrote:
Well, you are posting just for the sake of arguing.

I'm saying the same about you.

454447415244 wrote:
If you read well, you will see that this is what he wrote:

I'm making a website where users can login/register.

So it's about logging-in and not about storing messages.

If you read well you'll notice that he doesn't mention the secure storage of the passwords anywhere and that his code doesn't even include passwords, only usernames. Usernames are information usually displayed, if there are users there will probably be information stored for them that will be displayed. You got your question answered why he wanted it, you answered the wrong question, he got some extra information, now be happy and shut it.

</EndOf>

Simply. You shut it. Not me!
Quit trying to be the thread moderator.
You're trying to talk instead of the OP thinking you're defending him/his ideas.
The OP's post after yours has proved me right.

Oh noooo, tragedy strikes as the possibility comes up that you just don't respond to something that doesn't need responding to anyhow.
You asked why he wanted it, I answered, you got your answer, I've even said that even though you answered something wrong the extra information is somewhat relevant and might be of interest. But let's just continue to ignore any point where we might agree as that'd make it difficult for you to excuse you being upset and throwing a tantrum over what I write.
Yes, you got me, my biggest dream is to be this thread's moderator. I've been wanting that since I was a little child and I'm living out all my fantasies now that the opportunity came along. I don't know what I will do with my life now that you're on to me.
The OP's post after mine hasn't proven you right in any way. Holy balls! The OP doesn't really know how these things work and doesn't know the difference between a hash and an encryption. It's only natural that he'd ask about it if it's been brought up. It's different forms of security that's been mentioned now, the OP probably doesn't even distinguish between those when someone says that something's less secure than something else.

Now go ahead, answer it so you won't have to commit suicide over the shame of not posting a response. And let's just leave it at that.

So inputs like "<script>alert(document.cookie)</script>" and "' or '1=1--" won't work. Maybe I can send the data SHA-encrypted? Don't know if it is really more secure to store data not-encrypted?

@spyware: Thx for the link, I will take a look at it :D

RE: Base64 in Database

Posted on 04-06-09 16:24

MH-IA wrote:
Don't know if it is really more secure to store data not-encrypted?

It's not necessarily a question of safety for the site, but to protect the integrity/anonymity of the users. Let's say that your site is breached in a way that they can acquire the contents of the user/pass table. In that scenario if they are hashed with something really secure then odds are that the person can't get their passwords through it even though he has a list of the hashes.
If they're plaintext on the other hand, then he just has to look at it to know what it is they're using.

RE: Base64 in Database

Posted on 04-06-09 16:35

When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt SHA. I can store the data normal and SHA encrypted, but I don't think that has any effect


RE: Base64 in Database

MH-IA wrote:
When I store the data SHA encrypted and I have to echo the username of someone, how can I do that? There is no function to decrypt SHA. I can store the data normal and SHA encrypted, but I don't think that has any effect

SHA is a hashing algorithm. It is not reversible. You need to use an encryption method (base64 for example) to be able to reverse it.
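A small audit helper, added here and not from the thread, that classifies how a stored value is protected. It shows the point several replies make, that base64 (a keyless encoding, not an encryption method) and bare hex digests are recognisable at a glance and that base64 hands the value straight back, and contrasts them with password_hash() output, which PHP verifies by re-hashing rather than decoding. The sample rows are constructed; the shape checks are heuristics.

```php
<?php
// Added example (not the thread's code): audit helper for a stored credential
// column. Shows why base64 (a keyless encoding, not encryption) and bare hex
// digests are recognisable at a glance, and what to store instead. PHP 7+.
declare(strict_types=1);

function classify_stored_value(string $v): array {
    // password_hash() output: identifiable prefix, but salted and slow, so
    // recognising it gives nothing to decode.
    if (preg_match('/^\$(2y|argon2i|argon2id)\$/', $v) === 1) {
        return ['kind' => 'password_hash', 'recoverable' => null];
    }
    // Fixed-length lowercase hex is the tell-tale shape of an unsalted digest:
    // one-way, but a 32/40-char value invites dictionary guessing of weak inputs.
    if (preg_match('/^[0-9a-f]+$/', $v) === 1) {
        $names = [32 => 'md5', 40 => 'sha1', 64 => 'sha256'];
        return ['kind' => $names[strlen($v)] ?? 'hex', 'recoverable' => null];
    }
    // Base64 alphabet with correct padding: decoding it returns the secret.
    if (strlen($v) % 4 === 0 && preg_match('#^[A-Za-z0-9+/]+={0,2}$#', $v) === 1) {
        $plain = base64_decode($v, true);
        if ($plain !== false && ctype_print($plain)) {
            return ['kind' => 'base64', 'recoverable' => $plain];
        }
    }
    return ['kind' => 'plaintext', 'recoverable' => $v];
}

// Constructed sample rows of the kinds discussed in the thread.
$rows = [
    'hunter2',
    base64_encode('hunter2'),
    md5('hunter2'),
    hash('sha256', 'hunter2'),
    password_hash('hunter2', PASSWORD_DEFAULT),
];
foreach ($rows as $v) {
    $c = classify_stored_value($v);
    printf("%-14s %s\n", $c['kind'],
        $c['recoverable'] === null ? 'not reversible' : 'recovered: ' . $c['recoverable']);
}
// Passwords: keep only the password_hash() form and check a login with
// password_verify(), which re-hashes the attempt; nothing is ever decoded.
// Usernames are display data: store them as-is and encode on output.
```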